What is claimed is: 

1. An elliptic curve arithmetic operation device for performing one of an addition and a doubling on an elliptic curve E: $y^2 = f(x)$ on a residue class ring of polynomials in two variables $\alpha$ and $\beta$, moduli of the residue class ring being polynomials $\beta^2 - f(\alpha)$ and $h(\alpha)$, where $f(\alpha) = \alpha^3 + a\alpha + b$, a and b are constants, and $h(\alpha)$ is a polynomial in the variable $\alpha$, the elliptic curve arithmetic operation device comprising:

acquiring means for acquiring affine coordinates of at least one point on the elliptic curve E and operation information indicating one of the addition and the doubling, from an external source;

transforming means for performing a coordinate transformation on the acquired affine coordinates to generate Jacobian coordinates, the coordinate transformation being transforming affine coordinates $(\phi(\alpha), \beta \times \varphi(\alpha))$ of a given point on the elliptic curve E using polynomials

$X(\alpha) = f(\alpha) \times \phi(\alpha)$
$Y(\alpha) = f(\alpha)^2 \times \varphi(\alpha)$
$Z(\alpha) = 1$

into Jacobian coordinates $(X(\alpha) : Y(\alpha) : \beta \times Z(\alpha))$, $\phi(\alpha)$ and $\varphi(\alpha)$ being polynomials; and

operating means for performing one of the addition and the doubling indicated by the acquired operation information, on the generated Jacobian coordinates to obtain Jacobian coordinates of a point on the elliptic curve E.

2. The elliptic curve arithmetic operation device of Claim 1,

wherein the acquiring means

(a) in a first case acquires affine coordinates of two different points on the elliptic curve E and operation information indicating the addition, and

(b) in a second case acquires affine coordinates of a single point on the elliptic curve E and operation information indicating the doubling,

wherein the transforming means

(a) in the first case performs the coordinate transformation on the acquired affine coordinates of the two different points to generate Jacobian coordinates of the two different points, and

(b) in the second case performs the coordinate transformation on the acquired affine coordinates of the single point to generate Jacobian coordinates of the single point, and

wherein the operating means

(a) in the first case performs the addition indicated by the acquired operation information on the generated Jacobian coordinates of the two different points to obtain the Jacobian coordinates of the point on the elliptic curve E, and

(b) in the second case performs the doubling indicated by the acquired operation information on the generated Jacobian coordinates of the single point to obtain the Jacobian coordinates of the point on the elliptic curve E.

3. The elliptic curve arithmetic operation device of Claim 2,

wherein in the first case

the acquiring means acquires affine coordinates

$(X_1(\alpha), \beta \times Y_1(\alpha))$
$(X_2(\alpha), \beta \times Y_2(\alpha))$

of the two different points on the elliptic curve E and the operation information indicating the addition,

the transforming means performs the coordinate transformation on the acquired affine coordinates of the two different points to generate Jacobian coordinates

$(X_1(\alpha) : Y_1(\alpha) : \beta \times Z_1(\alpha))$
$(X_2(\alpha) : Y_2(\alpha) : \beta \times Z_2(\alpha))$

of the two different points, and

the operating means computes

$U_1(\alpha) = X_1(\alpha) \times Z_2(\alpha)^2$
$U_2(\alpha) = X_2(\alpha) \times Z_1(\alpha)^2$
$S_1(\alpha) = Y_1(\alpha) \times Z_2(\alpha)^3$
$S_2(\alpha) = Y_2(\alpha) \times Z_1(\alpha)^3$
$H(\alpha) = U_2(\alpha) - U_1(\alpha)$
$r(\alpha) = S_2(\alpha) - S_1(\alpha)$

and computes

$X_3(\alpha) = -H(\alpha)^3 - 2 \times U_1(\alpha) \times H(\alpha)^2 + r(\alpha)^2$
$Y_3(\alpha) = -S_1(\alpha) \times H(\alpha)^3 + r(\alpha) \times (U_1(\alpha) \times H(\alpha)^2 - X_3(\alpha))$
$Z_3(\alpha) = Z_1(\alpha) \times Z_2(\alpha) \times H(\alpha)$

to obtain Jacobian coordinates $(X_3(\alpha) : Y_3(\alpha) : \beta \times Z_3(\alpha))$ of the point on the elliptic curve E.

4. The elliptic curve arithmetic operation device of Claim 2,

wherein in the second case

the acquiring means acquires affine coordinates

$(X_1(\alpha), \beta \times Y_1(\alpha))$

of the single point on the elliptic curve E and the operation information indicating the doubling,

the transforming means performs the coordinate transformation on the acquired affine coordinates of the single point to generate Jacobian coordinates

$(X_1(\alpha) : Y_1(\alpha) : \beta \times Z_1(\alpha))$

of the single point, and

the operating means computes

$S(\alpha) = 4 \times X_1(\alpha) \times Y_1(\alpha)^2$
$M(\alpha) = 3 \times X_1(\alpha)^2 + a \times Z_1(\alpha)^4 \times f(\alpha)^2$
$T(\alpha) = -2 \times S(\alpha) + M(\alpha)^2$

and computes

$X_3(\alpha) = T(\alpha)$
$Y_3(\alpha) = -8 \times Y_1(\alpha)^4 + M(\alpha) \times (S(\alpha) - T(\alpha))$
$Z_3(\alpha) = 2 \times Y_1(\alpha) \times Z_1(\alpha)$

to obtain Jacobian coordinates $(X_3(\alpha) : Y_3(\alpha) : \beta \times Z_3(\alpha))$ of the point on the elliptic curve E.

5. The elliptic curve arithmetic operation device of Claim 2,

wherein the acquiring means

(a) in the first case acquires affine coordinates

$(X_1(\alpha), \beta \times Y_1(\alpha))$
$(X_2(\alpha), \beta \times Y_2(\alpha))$

of the two different points on the elliptic curve E and the operation information indicating the addition, and

(b) in the second case acquires affine coordinates

$(X_1(\alpha), \beta \times Y_1(\alpha))$

of the single point on the elliptic curve E and the operation information indicating the doubling,

wherein the transforming means

(a) in the first case performs the coordinate transformation on the acquired affine coordinates of the two different points to generate Jacobian coordinates

$(X_1(\alpha) : Y_1(\alpha) : \beta \times Z_1(\alpha))$
$(X_2(\alpha) : Y_2(\alpha) : \beta \times Z_2(\alpha))$

of the two different points, and

(b) in the second case performs the coordinate transformation on the acquired affine coordinates of the single point to generate Jacobian coordinates

$(X_1(\alpha) : Y_1(\alpha) : \beta \times Z_1(\alpha))$

of the single point, and

wherein the operating means

(a) in the first case computes

$U_1(\alpha) = X_1(\alpha) \times Z_2(\alpha)^2$
$U_2(\alpha) = X_2(\alpha) \times Z_1(\alpha)^2$
$S_1(\alpha) = Y_1(\alpha) \times Z_2(\alpha)^3$
$S_2(\alpha) = Y_2(\alpha) \times Z_1(\alpha)^3$
$H(\alpha) = U_2(\alpha) - U_1(\alpha)$
$r(\alpha) = S_2(\alpha) - S_1(\alpha)$

and computes

$X_3(\alpha) = -H(\alpha)^3 - 2 \times U_1(\alpha) \times H(\alpha)^2 + r(\alpha)^2$
$Y_3(\alpha) = -S_1(\alpha) \times H(\alpha)^3 + r(\alpha) \times (U_1(\alpha) \times H(\alpha)^2 - X_3(\alpha))$
$Z_3(\alpha) = Z_1(\alpha) \times Z_2(\alpha) \times H(\alpha)$

to obtain Jacobian coordinates $(X_3(\alpha) : Y_3(\alpha) : \beta \times Z_3(\alpha))$ of the point on the elliptic curve E, and

(b) in the second case computes

$S(\alpha) = 4 \times X_1(\alpha) \times Y_1(\alpha)^2$
$M(\alpha) = 3 \times X_1(\alpha)^2 + a \times Z_1(\alpha)^4 \times f(\alpha)^2$
$T(\alpha) = -2 \times S(\alpha) + M(\alpha)^2$

and computes

$X_3(\alpha) = T(\alpha)$
$Y_3(\alpha) = -8 \times Y_1(\alpha)^4 + M(\alpha) \times (S(\alpha) - T(\alpha))$
$Z_3(\alpha) = 2 \times Y_1(\alpha) \times Z_1(\alpha)$

to obtain the Jacobian coordinates $(X_3(\alpha) : Y_3(\alpha) : \beta \times Z_3(\alpha))$ of the point on the elliptic curve E.
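The transformation of Claim 1 and the addition and doubling formulas of Claims 3 to 5 can be checked against the ordinary affine group law. The following is an added example, not code from the patent: it specialises the polynomial ring to scalars in GF(P) by fixing the variables α, β to one concrete curve point (so the modulus h(α) plays no role), and the prime 1019, the constant 17 and all function names are constructed for illustration.

```python
# Added example: Claims 1, 3 and 4 with the ring specialised to GF(P) scalars.
P = 1019                      # constructed small prime, P % 4 == 3
A, B = -3, 17                 # constructed curve y^2 = x^3 + A*x + B

def f(x):
    return (x**3 + A*x + B) % P

def inv(v):
    return pow(v % P, P - 2, P)

def curve_points(n):
    """First n affine points with y != 0 (one per x); sqrt shortcut for P % 4 == 3."""
    pts = []
    for x in range(P):
        y = pow(f(x), (P + 1) // 4, P)
        if y and y * y % P == f(x):
            pts.append((x, y))
        if len(pts) == n:
            break
    return pts

def affine_add(p1, p2):
    """Reference affine group law: doubling if p1 == p2, else requires x1 != x2."""
    (x1, y1), (x2, y2) = p1, p2
    lam = (3*x1*x1 + A) * inv(2*y1) if p1 == p2 else (y2 - y1) * inv(x2 - x1)
    x3 = (lam*lam - x1 - x2) % P
    return (x3, (lam*(x1 - x3) - y1) % P)

def to_jac(pt, base):
    """Claim 1: affine (phi, beta*vphi) -> (f*phi : f^2*vphi : beta*1).
    base = (alpha, beta); the beta factor of Z is implicit and never stored."""
    (x, y), (al, be) = pt, base
    fa, phi, vphi = f(al), x, y * inv(be) % P
    return (fa*phi % P, fa*fa*vphi % P, 1)

def from_jac(J, base):
    """Back to affine with the implicit beta: x = X/(f*Z^2), y = beta*Y/(f^2*Z^3)."""
    (X, Y, Z), (al, be) = J, base
    fa = f(al)
    return (X * inv(fa*Z*Z) % P, be * Y * inv(fa*fa*Z**3) % P)

def jac_add(J1, J2):
    """Claim 3 addition; Z3 == 0 when both inputs are the same point."""
    (X1, Y1, Z1), (X2, Y2, Z2) = J1, J2
    U1, U2 = X1*Z2**2 % P, X2*Z1**2 % P
    S1, S2 = Y1*Z2**3 % P, Y2*Z1**3 % P
    H, r = (U2 - U1) % P, (S2 - S1) % P
    X3 = (-H**3 - 2*U1*H**2 + r*r) % P
    Y3 = (-S1*H**3 + r*(U1*H**2 - X3)) % P
    return (X3, Y3, Z1*Z2*H % P)

def jac_double(J1, fa):
    """Claim 4 doubling; fa = f(alpha) enters through the a*Z1^4*f^2 term."""
    X1, Y1, Z1 = J1
    S = 4*X1*Y1**2 % P
    M = (3*X1**2 + A*Z1**4*fa**2) % P
    T = (-2*S + M*M) % P
    return (T, (-8*Y1**4 + M*(S - T)) % P, 2*Y1*Z1 % P)

def compare_with_affine(n=12):
    """Return (mismatches, comparisons) between the claim formulas and affine_add."""
    pts = curve_points(n + 1)
    base, rest = pts[0], pts[1:]
    fa, bad, total = f(base[0]), 0, 0
    for p1, p2 in zip(rest, rest[1:]):
        j1, j2 = to_jac(p1, base), to_jac(p2, base)
        dbl, q = jac_double(j1, fa), affine_add(p1, p1)
        cases = [(jac_add(j1, j2), affine_add(p1, p2)), (dbl, q)]
        if q[0] != p2[0]:     # addition is only for two different points (Z1 != 1 here)
            cases.append((jac_add(dbl, j2), affine_add(q, p2)))
        for J, expected in cases:
            total += 1
            bad += from_jac(J, base) != expected
    return bad, total

if __name__ == "__main__":
    print(compare_with_affine())
```

Feeding the same point twice to `jac_add` gives H = 0 and therefore Z3 = 0, which is why the claims carry explicit operation information to choose between addition and doubling.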

6. An elliptic curve order computation device for computing an order of an elliptic curve according to a Schoof-Elkies-Atkin algorithm, comprising the elliptic curve arithmetic operation device of Claim 1.

7. The elliptic curve order computation device of Claim 6 comprising the elliptic curve arithmetic operation device of Claim 2.

8. The elliptic curve order computation device of Claim 7 comprising the elliptic curve arithmetic operation device of Claim 5.

9. An elliptic curve construction device for determining parameters of an elliptic curve E which is defined over a finite field GF(p) and offers a high level of security, p being a prime, the elliptic curve construction device comprising:

random number generating means for generating a random number;

parameter generating means for selecting the parameters of the elliptic curve E using the generated random number, in such a manner that a probability of a discriminant of the elliptic curve E having any square factor is lower than a predetermined threshold value;

finitude judging means for judging whether the elliptic curve E defined by the selected parameters has any point whose order is finite on a rational number field;

order computing means for computing an order m of the elliptic curve E when the finitude judging means judges that the elliptic curve E does not have any point whose order is finite on the rational number field;

security judging means for judging whether a condition that the computed order m is a prime not equal to the prime p is satisfied;

repeat controlling means for controlling the random number generating means, the parameter generating means, the finitude judging means, the order computing means, and the security judging means respectively to repeat random number generation, parameter selection, finitude judgement, order computation, and security judgement until the condition is satisfied; and

parameter outputting means for outputting the selected parameters when the condition is satisfied.

10. The elliptic curve construction device of Claim 9,

wherein the elliptic curve E is expressed as $y^2 = x^3 + ax + b$, where parameters a and b are constants, and

wherein the parameter generating means selects -3 and the random number respectively as the parameters a and b so that the probability of the discriminant of the elliptic curve E having any square factor is lower than the predetermined threshold value.

11. The elliptic curve construction device of Claim 10,

wherein the finitude judging means, given two primes $p_1$ and $p_2$ beforehand where $p_1 \neq p_2$, interprets the elliptic curve E as an elliptic curve $E_Q$ on the rational number field, computes orders $m_1$ and $m_2$ of respective elliptic curves $E_{p_1}$ and $E_{p_2}$ which are produced by reducing the elliptic curve $E_Q$ modulo $p_1$ and $p_2$, judges whether the orders $m_1$ and $m_2$ are relatively prime, and, if the orders $m_1$ and $m_2$ are relatively prime, judges that the elliptic curve E does not have any point whose order is finite on the rational number field.

12. The elliptic curve construction device of Claim 11,

wherein the finitude judging means, given the primes $p_1 = 5$ and $p_2 = 7$ beforehand, computes the orders $m_1$ and $m_2$ of the respective elliptic curves $E_{p_1}$ and $E_{p_2}$ produced by reducing the elliptic curve $E_Q$ modulo $p_1 = 5$ and $p_2 = 7$.
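The construction loop of Claims 9 to 12 can be run end to end on a toy field. The following is an added example, not code from the patent: naive point counting stands in for the Schoof-Elkies-Atkin order computation, the nonsingularity checks modulo 5, 7 and p are assumptions added so that every reduction is an elliptic curve, and the function names, the prime 1019 and the seed are constructed for illustration.

```python
# Added example: curve construction loop of Claims 9-12 on a toy prime field.
import math
import random

def count_points(a, b, p):
    """#E(GF(p)) including the point at infinity, by Euler's criterion.
    Naive O(p) stand-in for the SEA order computation named in the claims."""
    n = 1
    for x in range(p):
        v = (x*x*x + a*x + b) % p
        if v == 0:
            n += 1
        elif pow(v, (p - 1) // 2, p) == 1:
            n += 2
    return n

def is_prime(n):
    """Trial division; adequate for the toy sizes used here."""
    if n < 2:
        return False
    d = 2
    while d * d <= n:
        if n % d == 0:
            return False
        d += 1
    return True

def nonsingular(a, b, p):
    """True when 4a^3 + 27b^2 is nonzero mod p (assumption added by this example)."""
    return (4*a**3 + 27*b*b) % p != 0

def no_rational_torsion(a, b, p1=5, p2=7):
    """Finitude judgement of Claims 11-12: reduce E_Q modulo p1 and p2 and
    accept when the two orders m1 and m2 are relatively prime."""
    if not (nonsingular(a, b, p1) and nonsingular(a, b, p2)):
        return False
    return math.gcd(count_points(a, b, p1), count_points(a, b, p2)) == 1

def construct_curve(p, seed=None, max_tries=10000):
    """Repeat: random b with a = -3 (Claim 10), finitude judgement, order
    computation, security judgement; return (a, b, m) on success."""
    rng = random.Random(seed)
    a = -3
    for _ in range(max_tries):
        b = rng.randrange(1, p)              # random number used as parameter b
        if not nonsingular(a, b, p):
            continue
        if not no_rational_torsion(a, b):    # skip the order computation early
            continue
        m = count_points(a, b, p)
        if is_prime(m) and m != p:           # security judgement of Claim 9
            return a, b, m
    raise RuntimeError("no suitable curve found within max_tries")

if __name__ == "__main__":
    print(construct_curve(1019, seed=2024))
```

With a = -3 and b = 0 the reductions have orders 2 and 8, so the finitude judgement rejects the curve before any order computation over GF(p) is attempted.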

13. The elliptic curve construction device of Claim 11,

wherein the order computing means computes the order m of the elliptic curve E according to a Schoof-Elkies-Atkin algorithm and includes

elliptic curve arithmetic operating means for performing one of an addition and a doubling on the elliptic curve E: $y^2 = f(x)$ on a residue class ring of polynomials in variables $\alpha$ and $\beta$, moduli of the residue class ring being polynomials $\beta^2 - f(\alpha)$ and $h(\alpha)$, where $f(\alpha) = \alpha^3 + a\alpha + b$ and $h(\alpha)$ is a polynomial in the variable $\alpha$,

wherein the elliptic curve arithmetic operating means includes the elliptic curve arithmetic operation device of Claim 1.

14. The elliptic curve construction device of Claim 13,

wherein the elliptic curve arithmetic operating means includes the elliptic curve arithmetic operation device of Claim 2.

15. The elliptic curve construction device of Claim 14,

wherein the elliptic curve arithmetic operating means includes the elliptic curve arithmetic operation device of Claim 5.

16. An elliptic curve application device that uses elliptic curves, comprising

elliptic curve constructing means for determining parameters of an elliptic curve E which is defined over a finite field GF(p) and offers a high level of security, p being a prime,

wherein the elliptic curve constructing means includes the elliptic curve construction device of Claim 9.

17. The elliptic curve application device of Claim 16,

wherein the elliptic curve constructing means includes the elliptic curve construction device of Claim 10.

18. The elliptic curve application device of Claim 17,

wherein the elliptic curve constructing means includes the elliptic curve construction device of Claim 11.

19. The elliptic curve application device of Claim 18,

wherein the elliptic curve constructing means includes the elliptic curve construction device of Claim 12.

20. The elliptic curve application device of Claim 18,

wherein the elliptic curve constructing means includes the elliptic curve construction device of Claim 13.

21. The elliptic curve application device of Claim 20,

wherein the elliptic curve constructing means includes the elliptic curve construction device of Claim 14.

22. The elliptic curve application device of Claim 21,

wherein the elliptic curve constructing means includes the elliptic curve construction device of Claim 15.

23. An elliptic curve arithmetic operation method used in an elliptic curve arithmetic operation device equipped with an acquiring means, a transforming means, and an operating means, for performing one of an addition and a doubling on an elliptic curve E: $y^2 = f(x)$ on a residue class ring of polynomials in two variables $\alpha$ and $\beta$, moduli of the residue class ring being polynomials $\beta^2 - f(\alpha)$ and $h(\alpha)$, where $f(\alpha) = \alpha^3 + a\alpha + b$, a and b are constants, and $h(\alpha)$ is a polynomial in the variable $\alpha$, the elliptic curve arithmetic operation method comprising:

an acquiring step performed by the acquiring means, for acquiring affine coordinates of at least one point on the elliptic curve E and operation information indicating one of the addition and the doubling, from an external source;

a transforming step performed by the transforming means, for performing a coordinate transformation on the acquired affine coordinates to generate Jacobian coordinates, the coordinate transformation being transforming affine coordinates $(\phi(\alpha), \beta \times \varphi(\alpha))$ of a given point on the elliptic curve E using polynomials

$X(\alpha) = f(\alpha) \times \phi(\alpha)$
$Y(\alpha) = f(\alpha)^2 \times \varphi(\alpha)$
$Z(\alpha) = 1$

into Jacobian coordinates $(X(\alpha) : Y(\alpha) : \beta \times Z(\alpha))$, $\phi(\alpha)$ and $\varphi(\alpha)$ being polynomials; and

an operating step performed by the operating means, for performing one of the addition and the doubling indicated by the acquired operation information, on the generated Jacobian coordinates to obtain Jacobian coordinates of a point on the elliptic curve E.

24. An elliptic curve construction method used in an elliptic curve construction device equipped with random number generating means, parameter generating means, finitude judging means, order computing means, security judging means, repeat controlling means, and parameter outputting means, for determining parameters of an elliptic curve E which is defined over a finite field GF(p) and offers a high level of security, p being a prime, the elliptic curve construction method comprising:

a random number generating step performed by the random number generating means, for generating a random number;

a parameter generating step performed by the parameter generating means, for selecting the parameters of the elliptic curve E using the generated random number, in such a manner that a probability of a discriminant of the elliptic curve E having any square factor is lower than a predetermined threshold value;

a finitude judging step performed by the finitude judging means, for judging whether the elliptic curve E defined by the selected parameters has any point whose order is finite on a rational number field;

an order computing step performed by the order computing means, for computing an order m of the elliptic curve E when the finitude judging step judges that the elliptic curve E does not have any point whose order is finite on the rational number field;

a security judging step performed by the security judging means, for judging whether a condition that the computed order m is a prime not equal to the prime p is satisfied;

a repeat controlling step performed by the repeat controlling means, for controlling the random number generating step, the parameter generating step, the finitude judging step, the order computing step, and the security judging step respectively to repeat random number generation, parameter selection, finitude judgement, order computation, and security judgement until the condition is satisfied; and

a parameter outputting step performed by the parameter outputting means, for outputting the selected parameters when the condition is satisfied.

25. A computer-readable storage medium storing an elliptic curve arithmetic operation program used in an elliptic curve arithmetic operation device equipped with acquiring means, transforming means, and operating means, for performing one of an addition and a doubling on an elliptic curve E: $y^2 = f(x)$ on a residue class ring of polynomials in two variables $\alpha$ and $\beta$, moduli of the residue class ring being polynomials $\beta^2 - f(\alpha)$ and $h(\alpha)$, where $f(\alpha) = \alpha^3 + a\alpha + b$, a and b are constants, and $h(\alpha)$ is a polynomial in the variable $\alpha$, the elliptic curve arithmetic operation program comprising:

an acquiring step performed by the acquiring means, for acquiring affine coordinates of at least one point on the elliptic curve E and operation information indicating one of the addition and the doubling, from an external source;

a transforming step performed by the transforming means, for performing a coordinate transformation on the acquired affine coordinates to generate Jacobian coordinates, the coordinate transformation being transforming affine coordinates $(\phi(\alpha), \beta \times \varphi(\alpha))$ of a given point on the elliptic curve E using polynomials

$X(\alpha) = f(\alpha) \times \phi(\alpha)$
$Y(\alpha) = f(\alpha)^2 \times \varphi(\alpha)$
$Z(\alpha) = 1$

into Jacobian coordinates $(X(\alpha) : Y(\alpha) : \beta \times Z(\alpha))$, $\phi(\alpha)$ and $\varphi(\alpha)$ being polynomials; and

an operating step performed by the operating means, for performing one of the addition and the doubling indicated by the acquired operation information, on the generated Jacobian coordinates to obtain Jacobian coordinates of a point on the elliptic curve E.

26. The storage medium of Claim 25,

wherein the acquiring step

(a) in a first case acquires affine coordinates of two different points on the elliptic curve E and operation information indicating the addition, and

(b) in a second case acquires affine coordinates of a single point on the elliptic curve E and operation information indicating the doubling,

wherein the transforming step

(a) in the first case performs the coordinate transformation on the acquired affine coordinates of the two different points to generate Jacobian coordinates of the two different points, and

(b) in the second case performs the coordinate transformation on the acquired affine coordinates of the single point to generate Jacobian coordinates of the single point, and

wherein the operating step

(a) in the first case performs the addition indicated by the acquired operation information on the generated Jacobian coordinates of the two different points to obtain the Jacobian coordinates of the point on the elliptic curve E, and

(b) in the second case performs the doubling indicated by the acquired operation information on the generated Jacobian coordinates of the single point to obtain the Jacobian coordinates of the point on the elliptic curve E.

27. The storage medium of Claim 26,

wherein in the first case

the acquiring step acquires affine coordinates

$(X_1(\alpha), \beta \times Y_1(\alpha))$
$(X_2(\alpha), \beta \times Y_2(\alpha))$

of the two different points on the elliptic curve E and the operation information indicating the addition,

the transforming step performs the coordinate transformation on the acquired affine coordinates of the two different points to generate Jacobian coordinates

$(X_1(\alpha) : Y_1(\alpha) : \beta \times Z_1(\alpha))$
$(X_2(\alpha) : Y_2(\alpha) : \beta \times Z_2(\alpha))$

of the two different points, and

the operating step computes

$U_1(\alpha) = X_1(\alpha) \times Z_2(\alpha)^2$
$U_2(\alpha) = X_2(\alpha) \times Z_1(\alpha)^2$
$S_1(\alpha) = Y_1(\alpha) \times Z_2(\alpha)^3$
$S_2(\alpha) = Y_2(\alpha) \times Z_1(\alpha)^3$
$H(\alpha) = U_2(\alpha) - U_1(\alpha)$
$r(\alpha) = S_2(\alpha) - S_1(\alpha)$

and computes

$X_3(\alpha) = -H(\alpha)^3 - 2 \times U_1(\alpha) \times H(\alpha)^2 + r(\alpha)^2$
$Y_3(\alpha) = -S_1(\alpha) \times H(\alpha)^3 + r(\alpha) \times (U_1(\alpha) \times H(\alpha)^2 - X_3(\alpha))$
$Z_3(\alpha) = Z_1(\alpha) \times Z_2(\alpha) \times H(\alpha)$

to obtain Jacobian coordinates $(X_3(\alpha) : Y_3(\alpha) : \beta \times Z_3(\alpha))$ of the point on the elliptic curve E.

28. The storage medium of Claim 26,

wherein in the second case

the acquiring step acquires affine coordinates

$(X_1(\alpha), \beta \times Y_1(\alpha))$

of the single point on the elliptic curve E and the operation information indicating the doubling,

the transforming step performs the coordinate transformation on the acquired affine coordinates of the single point to generate Jacobian coordinates

$(X_1(\alpha) : Y_1(\alpha) : \beta \times Z_1(\alpha))$

of the single point, and

the operating step computes

$S(\alpha) = 4 \times X_1(\alpha) \times Y_1(\alpha)^2$
$M(\alpha) = 3 \times X_1(\alpha)^2 + a \times Z_1(\alpha)^4 \times f(\alpha)^2$
$T(\alpha) = -2 \times S(\alpha) + M(\alpha)^2$

and computes

$X_3(\alpha) = T(\alpha)$
$Y_3(\alpha) = -8 \times Y_1(\alpha)^4 + M(\alpha) \times (S(\alpha) - T(\alpha))$
$Z_3(\alpha) = 2 \times Y_1(\alpha) \times Z_1(\alpha)$

to obtain Jacobian coordinates $(X_3(\alpha) : Y_3(\alpha) : \beta \times Z_3(\alpha))$ of the point on the elliptic curve E.

29. The storage medium of Claim 26,

wherein the acquiring step

(a) in the first case acquires affine coordinates

$(X_1(\alpha), \beta \times Y_1(\alpha))$
$(X_2(\alpha), \beta \times Y_2(\alpha))$

of the two different points on the elliptic curve E and the operation information indicating the addition, and

(b) in the second case acquires affine coordinates

$(X_1(\alpha), \beta \times Y_1(\alpha))$

of the single point on the elliptic curve E and the operation information indicating the doubling,

wherein the transforming step

(a) in the first case performs the coordinate transformation on the acquired affine coordinates of the two different points to generate Jacobian coordinates

$(X_1(\alpha) : Y_1(\alpha) : \beta \times Z_1(\alpha))$
$(X_2(\alpha) : Y_2(\alpha) : \beta \times Z_2(\alpha))$

of the two different points, and

(b) in the second case performs the coordinate transformation on the acquired affine coordinates of the single point to generate Jacobian coordinates

$(X_1(\alpha) : Y_1(\alpha) : \beta \times Z_1(\alpha))$

of the single point, and

wherein the operating step

(a) in the first case computes

$U_1(\alpha) = X_1(\alpha) \times Z_2(\alpha)^2$
$U_2(\alpha) = X_2(\alpha) \times Z_1(\alpha)^2$
$S_1(\alpha) = Y_1(\alpha) \times Z_2(\alpha)^3$
$S_2(\alpha) = Y_2(\alpha) \times Z_1(\alpha)^3$
$H(\alpha) = U_2(\alpha) - U_1(\alpha)$
$r(\alpha) = S_2(\alpha) - S_1(\alpha)$

and computes

$X_3(\alpha) = -H(\alpha)^3 - 2 \times U_1(\alpha) \times H(\alpha)^2 + r(\alpha)^2$
$Y_3(\alpha) = -S_1(\alpha) \times H(\alpha)^3 + r(\alpha) \times (U_1(\alpha) \times H(\alpha)^2 - X_3(\alpha))$
$Z_3(\alpha) = Z_1(\alpha) \times Z_2(\alpha) \times H(\alpha)$

to obtain Jacobian coordinates $(X_3(\alpha) : Y_3(\alpha) : \beta \times Z_3(\alpha))$ of the point on the elliptic curve E, and

(b) in the second case computes

$S(\alpha) = 4 \times X_1(\alpha) \times Y_1(\alpha)^2$
$M(\alpha) = 3 \times X_1(\alpha)^2 + a \times Z_1(\alpha)^4 \times f(\alpha)^2$
$T(\alpha) = -2 \times S(\alpha) + M(\alpha)^2$

and computes

$X_3(\alpha) = T(\alpha)$
$Y_3(\alpha) = -8 \times Y_1(\alpha)^4 + M(\alpha) \times (S(\alpha) - T(\alpha))$
$Z_3(\alpha) = 2 \times Y_1(\alpha) \times Z_1(\alpha)$

to obtain the Jacobian coordinates $(X_3(\alpha) : Y_3(\alpha) : \beta \times Z_3(\alpha))$ of the point on the elliptic curve E.

30. A computer-readable storage medium storing an elliptic curve construction program used in an elliptic curve construction device equipped with random number generating means, parameter generating means, finitude judging means, order computing means, security judging means, repeat controlling means, and parameter outputting means, for determining parameters of an elliptic curve E which is defined over a finite field GF(p) and offers a high level of security, p being a prime, the elliptic curve construction program comprising:

a random number generating step performed by the random number generating means, for generating a random number;

a parameter generating step performed by the parameter generating means, for selecting the parameters of the elliptic curve E using the generated random number, in such a manner that a probability of a discriminant of the elliptic curve E having any square factor is lower than a predetermined threshold value;

a finitude judging step performed by the finitude judging means, for judging whether the elliptic curve E defined by the selected parameters has any point whose order is finite on a rational number field;

an order computing step performed by the order computing means, for computing an order m of the elliptic curve E when the finitude judging step judges that the elliptic curve E does not have any point whose order is finite on the rational number field;

a security judging step performed by the security judging means, for judging whether a condition that the computed order m is a prime not equal to the prime p is satisfied;

a repeat controlling step performed by the repeat controlling means, for controlling the random number generating step, the parameter generating step, the finitude judging step, the order computing step, and the security judging step respectively to repeat random number generation, parameter selection, finitude judgement, order computation, and security judgement until the condition is satisfied; and

a parameter outputting step performed by the parameter outputting means, for outputting the selected parameters when the condition is satisfied.

31. The storage medium of Claim 30,

wherein the elliptic curve E is expressed as $y^2 = x^3 + ax + b$, where parameters a and b are constants, and

wherein the parameter generating step selects -3 and the random number respectively as the parameters a and b so that the probability of the discriminant of the elliptic curve E having any square factor is lower than the predetermined threshold value.

32. The storage medium of Claim 31,

wherein the finitude judging step, given two primes $p_1$ and $p_2$ beforehand where $p_1 \neq p_2$, interprets the elliptic curve E as an elliptic curve $E_Q$ on the rational number field, computes orders $m_1$ and $m_2$ of respective elliptic curves $E_{p_1}$ and $E_{p_2}$ which are produced by reducing the elliptic curve $E_Q$ modulo $p_1$ and $p_2$, judges whether the orders $m_1$ and $m_2$ are relatively prime, and, if the orders $m_1$ and $m_2$ are relatively prime, judges that the elliptic curve E does not have any point whose order is finite on the rational number field.

33. The storage medium of Claim 32,

wherein the finitude judging step, given the primes $p_1 = 5$ and $p_2 = 7$ beforehand, computes the orders $m_1$ and $m_2$ of the respective elliptic curves $E_{p_1}$ and $E_{p_2}$ produced by reducing the elliptic curve $E_Q$ modulo $p_1 = 5$ and $p_2 = 7$.